Presentation is loading. Please wait.

Presentation is loading. Please wait.

0x440 Network Sniffing.

Published byMelvyn Lucas Modified over 8 years ago

Similar presentations

Presentation on theme: "0x440 Network Sniffing."— Presentation transcript:

1 0x440 Network Sniffing

2 Network Sniffing Sniffing Tools ARP Spoofing

3 What is the Network Sniffing
The act of capturing packets that aren’t necessarily meant for public viewing is called SNIFFING

4 Two Sniffing Flows According to Network
Non-switched network environment Setting the promiscuous mode Packet-capturing Switched network environment ARP spoofing

5 Non-switched vs. Switched Network
The flow of traffic in a non-switched network (cont.) It should be noted that step 3 and 4 can be reversed in order

6 Non-switched vs. Switched Network
The flow of traffic in a non-switched network Step 1 Node A transmits a frame to Node C Step 2 Hub will broadcast this frame to active port Setp 3 Node B will receive the frame and will examine the address in the frame. After determining that it is not the intended host, it will discard the frame Step 4 Node C will receive the frame and will examine the address in the frame. After determining that it is the intended host. it will process the frame further

7 Non-switched vs. Switched Network
How to generate Canary Non-switched vs. Switched Network The flow of traffic in a switched network (cont.)

8 Non-switched vs. Switched Network
The flow of traffic in a switched network Step 1 Node A transmits a frame to Node C Step 2 The switch will examine this frame and determi ne what the intended host is. It will then set up a connection between Node A and Node C so that they have a ‘private’ connection Setp 3 Node C will receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further

9 Sniffing Non-switched Network
For a host to be used as a sniffing agent, NIC must be set to the promiscuous mode After the promiscuous mode is set... NIC no longer drop network frames which are addressed to other hosts

10 Sniffing Non-switched Network
Setting the promiscuous mode $ sudo ifconfig eth0 promisc

11 Packet Capturing Tools
Sniffers tcpdump dsniff Raw socket sniffer raw_tcpsniff pcap_sniff (with libpcap) decode_sniff (with libpcap)

12 Sniffer: tcpdump $ sudo tcpdump –X ‘ip host <victim IP>’

13 Sniffer: dsniff $ sudo dsniff –n

14 Packet Capturing Tools
Sniffers tcpdump dsniff Raw socket sniffer raw_tcpsniff pcap_sniff (with libpcap) decode_sniff (with libpcap)

15 # Raw Socket Raw socket is an network socket that allows direct sending and receiving of Internet protocol packets without any protocol-specific transport layer formatting Raw socket is specified by suing SOCK_RAW as the type There are multiple protocol options IPPROTO_TCP, IPPROTO_UDP, IPROTO_ICMP

16 Raw Socket Sniffer: raw_tcpsniff
raw_tcpsniff.c

17 Raw Socket Sniffer: raw_tcpsniff
$ gcc –o raw_tcpsniff raw_tcpsniff.c $ sudo ./raw_tcpsniff

18 Raw Socket Sniffer with Libpcap: pcap_sniff
pcap_sniff.c

19 Raw Socket Sniffer with Libpcap: pcap_sniff
$ gcc –o pcap_sniff pcap_sniff.c –lpcap $ sudo ./pcap_sniff

20 Raw Socket Sniffer with Libpcap: decode_sniff
decode_sniff.c

21 Raw Socket Sniffer with Libpcap: decode_sniff
decode_sniff.c

22 Raw Socket Sniffer with Libpcap: Decode_sniff
decode_sniff.c

23 Raw Socket Sniffer with Libpcap: decode_sniff
$ gcc –o decode_sniff decode_sniff.c –lpcap $ sudo ./decode_sniff

24 Sniffing Switched Networks
ARP spoofing One of the basic operations of the Ethernet protocol revolves around ARP (Address Resolution Protocol) requests and replies. In general, when Node A wants to communicate with Node C on the network, it sends an ARP request. Node C will send an ARP reply which will include the MAC address. Even in a switched environment, this initial ARP request is sent in a broadcast manner. It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A. This fake ARP reply will specify that Node B has the MAC address of Node C. Node A will unwittingly send the traffic to Node B since it professes to have the intended MAC address.

25 Sniffing Switched Network
ARP spoofing using NEMESIS (cont.) Attacker IP: MAC: 00:00:00:BB:BB:BB Victim1 IP: MAC: 00:00:00:AA:AA:AA Victim2 IP: MAC: 00:00:00:CC:CC:CC

26 Sniffing Switched Network
ARP spoofing using NEMESIS (cont.) Attacker (System B) → Victim1 (System A) $ sudo nemesis arp –v –r –d eth0 –S –D -h 00:00:00:BB:BB:BB -m 00:00:00:AA:AA:AA -H 00:00:00:BB:BB:BB -M 00:00:00:AA:AA:AA Attacker (System B) → Victim2 (System C) $ sudo nemesis arp –v –r –d eth0 –S –D -h 00:00:00:BB:BB:BB -m 00:00:00:CC:CC:CC -H 00:00:00:BB:BB:BB -M 00:00:00:CC:CC:CC

27 Sniffing Switched Network
ARP spoofing using NEMESIS ARP Cache of Victim1 (System A) ARP Cache of Victim2 (System C)

28 the end

Download ppt "0x440 Network Sniffing."

Similar presentations

Ethical Hacking Module VII Sniffers.

Ethical Hacking Module VII Sniffers.
Password Cracking, Network Sniffing, Man-in-the-Middle attacks, and Virtual Private Networks Lab 2 – Class Discussion Group 3 Ruhull Alam Bhuiyan Keon.

Password Cracking, Network Sniffing, Man-in-the-Middle attacks, and Virtual Private Networks Lab 2 – Class Discussion Group 3 Ruhull Alam Bhuiyan Keon.
ARP AND RARP ROUTED AND ROUTING Tyler Bish. ARP There are a variety of ways that devices can determine the MAC addresses they need to add to the encapsulated.

ARP AND RARP ROUTED AND ROUTING Tyler Bish. ARP There are a variety of ways that devices can determine the MAC addresses they need to add to the encapsulated.
ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.

ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.
1 ICS 156: Lecture 2 (part 2) Data link layer protocols Address resolution protocol Notes on lab 2.

1 ICS 156: Lecture 2 (part 2) Data link layer protocols Address resolution protocol Notes on lab 2.
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.

1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.

1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan.

1 Eastern Michigan University Asad Khailany, Eastern Michigan University Dmitri Bagatelia, Eastern Michigan University Wafa Khorsheed, Eastern Michigan.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.

1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
CSEE W4140 Networking Laboratory

CSEE W4140 Networking Laboratory
An introduction to Network Analyzers Dr. Farid Farahmand 3/23/2009.

An introduction to Network Analyzers Dr. Farid Farahmand 3/23/2009.
1 Reminding - ARP Two machines on a given network can communicate only if they know each other’s physical network address ARP (Address Resolution Protocol)

1 Reminding - ARP Two machines on a given network can communicate only if they know each other’s physical network address ARP (Address Resolution Protocol)
CSEE W4140 Networking Laboratory Lecture 2: ARP Jong Yul Kim 02.01.2010.

CSEE W4140 Networking Laboratory Lecture 2: ARP Jong Yul Kim
Detection of Promiscuous nodes Using Arp Packets By Engin Arslan.

Detection of Promiscuous nodes Using Arp Packets By Engin Arslan.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
Introduction to IT and Communications Technology Justin Champion C208 – 3292 Ethernet Switching CE00378-1.

Introduction to IT and Communications Technology Justin Champion C208 – 3292 Ethernet Switching CE

Similar presentations

Ads by Google